[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

Keyboard Interrupt Hook using I/O APIC

& i$ G: p: y; C, \; ^By: chpie
0 b$ N$ ~4 B  P  @Keyboard Interrupt Hooking by manipulating the I/O APIC
$ H$ a; b+ V' Q2 Jtested on the winXP, Pentium D Hyper-threading Enabled.
0 f8 ]7 W3 w# z9 N

( P4 P9 a5 Q  x: Q* `Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

4 Q; p* h; P9 S% q$ [3 o- It is higher priority of the hooking than the direct
$ E/ |' E2 Y  ~, f* F) z7 C1 omodification of the I/O APIC's vector.
1 b& a! Y, ~( [: C7 d& ]5 h- The vector can be hidden on the thread getting the keyboard
6 @8 ]" O* k' l* Z; o9 d6 U6 Y# H. \vector from the I/O APIC.
' J" U! L2 L7 T5 Y! {- U  u6 g
Flow ::

1. IRQ 1 Assert !!!
* I4 ^7 F  [7 t( ^7 ]2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
9 f/ {- f8 Z% q: [8 L  q. ^6. The processor Assert the INTA signal.
2 g* i) E, @: ]5 o" h7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
0 C3 X( b% z& h: C- H$ a10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
/ o1 Y2 i8 x" y( W8 j1 E12. our interrupt handler executed.

4 i7 K1 E7 l! x# w2 o& p
sourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip